ISO 27701, Clause 5.8 – Improvement

ISO 27701 Controls and Clauses Explained


For the purposes of ISO adherence – across all information security and privacy protection standards – nonconformity can broadly be defined as any failure to meet a clause-specific standard.

Nonconformities can arise against either internal or external requirements: a departure from an organisation’s own policies and procedures, or, where applicable, a failure to meet the regulatory and/or legal requirements that apply to it as a PII processor.

What’s Covered in ISO 27701 Clause 5.8

ISO 27701 Clause 5.8 deals with an organisation’s ability to detect, manage, resolve and evaluate nonconformities within the scope of a PIMS, and its broader privacy protection policy.

The guidance revolves around two key stages – dealing with nonconformities at point of discovery, and what should happen in order to prevent them from recurring.

Both of the sub-clauses of ISO 27701 5.8 reuse requirements already set out in ISO 27001; within ISO 27701 those requirements are applied to nonconformities in privacy protection and in the management of the PIMS.

  • ISO 27701 5.8.1 – Nonconformity and corrective action (References ISO 27001 Control 10.1)
  • ISO 27701 5.8.2 – Continual improvement (References ISO 27001 Control 10.2)

ISO 27701 5.8 doesn’t contain any additional guidance for PIMS-related activities, other than what is provided in the context of ISO 27001, and doesn’t hold any relevance within GDPR.


ISO 27701 Clause 5.8.1 – Nonconformity and Corrective Action

References ISO 27001 Control 10.1

When the organisation discovers a nonconformity, it should:

  1. Minimise the risks involved and take corrective actions as appropriate.
  2. Carefully consider any consequences, and take steps to address them.
  3. Keep in mind the need to both eliminate the nonconformity and prevent it from happening again. This should be done by:
    • Establishing why it happened.
    • Determining whether similar nonconformities exist, or could occur, elsewhere in the organisation, particularly where privacy is paramount and PII is processed.
  4. Evaluate the effectiveness of any remedial steps taken.
  5. Amend the PIMS to account for any changes that have been made, or need to be made in order to improve its effectiveness.

ISO stipulates that any corrective action taken should be proportionate to the risks caused by the nonconformity itself.

Documented information should be retained as evidence of:

  • The underlying nature of the nonconformity.
  • Any remedial actions that have been taken.
  • How those actions have affected privacy protection, PII and the ongoing development of the PIMS.


ISO 27701 Clause 5.8.2 – Continual Improvement

References ISO 27001 Control 10.2

Organisations should ask themselves three questions when seeking to improve their PIMS, and by proxy, their privacy protection policy:

  • Suitability – Is the PIMS a good fit for the nature of their operation, and the kind of PII and information they process on a regular basis?
  • Adequacy – Does the PIMS have sufficient operational capacity to carry out its role, and does it contain features relevant to the organisation’s responsibilities?
  • Effectiveness – Is the PIMS doing its job, within the scope of what’s required of it?

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                 | ISO 27001 Requirement                                      | Associated GDPR Articles
5.8.1                       | Nonconformity and Corrective Action   | 10.1 – Nonconformity and Corrective Action for ISO 27001   | None
5.8.2                       | Continual Improvement                 | 10.2 – Continual Improvement for ISO 27001                 | None

How ISMS.online Helps

By adding a PIMS to your ISMS on the ISMS.online platform, your security posture stays in one place and you avoid duplicating work where the two standards overlap.

With your PIMS instantly accessible to interested parties, it’s never been easier to monitor, report and audit against both ISO 27001 and ISO 27701 at the click of a button.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online by booking a demo.
